05/29/2015

Review of Kevin Mitnick Video

by ZixCorp

I hardly recognized Kevin Mitnick when I met him at RSA back in April. He looked nothing like the dour, baggy-eyed and stubble-chinned image in his wanted poster from 1994. He was fresh-faced and ebullient, and there was a constant flow of fans, young and old, lining up to meet him or to renew his acquaintance. In the world of online security, he is a superstar.

So you will not be surprised to hear that when I was offered the opportunity to preview the upcoming video of Mr. Mitnick’s interview by Geoff Bibby, I jumped at the chance. And I have to say, the video is both enthralling and jaw-dropping. There is no flannel or padding in the 40-minute video: from the get-go, the interviewer gets straight into meaty questions.

The first thing Mr. Mitnick tells us about is hacking into the unencrypted emails of companies for which he is doing penetration testing. Not only can he penetrate the organizations themselves, but he can also monitor human and automatically generated system-log messages and trouble tickets. That is, he reads the emails of the security experts to see if they are detecting his penetration.

In the studio, Kevin has set up a demo that includes three laptops: one plays the part of the user’s device, one is the company server through which the first laptop sends emails, and the third belongs to a hacker. The user and the server are connected via optical fiber, just as they would be in the real world, and Kevin introduces a $400 fiber tap device between the user and the email server that immediately reads all the unencrypted emails passing between them. He then goes on to reveal all kinds of tricks of the trade, including altering POP email settings so that your email account will send blind copies of your every email automatically to a separate account controlled by the hacker – even after the fiber tap has been removed.

Kevin also talks about his current job as a penetration consultant, in which he has to test many ways of defeating company IT systems, unlike the hackers, who only need to find a single way in. Perhaps the biggest surprise is that hackers generally do not need to defeat company firewalls. All they have to do is monitor unencrypted emails to get usernames and passwords sent in the clear, which then let the hackers impersonate legitimate network users, thereby bypassing security measures.

The video is due for release on June 17th as an on-demand webinar, and you can be one of the first to see it by registering here.